So here it is the full list of Android Malware in a very dangerous year, since August, the 9th 2011 up-to-today.

My birthday gift for the Android is complete: exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

Scroll down my special compilation showing the long malware trail which characterized this hard days for information security. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention.

As you will notice, the average impact is low, but, the number of malware is growing exponentially reaching a huge peak in July.

Let’s go in this mobile malware travel between botnets, sleepwalkers, biblic plagues and call Hijackers, and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions:Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user trying to discipline users that download files illegally from unauthorized sites.

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Malware which uses the same exploit than DroidDream, rageagainstthecage, to gain root privilege and install the main malware component. Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package. The malware is moreover capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory. In few words, the device is turned into a member of a botnet.

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. When an infected application is installed, it attempts to exploit the udev Netlink Message Validation Local Privilege Escalation Vulnerability (BID 34536) in order to obtain “root” privileges. Once running with “root” privileges it installs an executable which contains functionality to communicate with a control server using HTTP protocol and sends information such as Subscriber ID, Manufacturer and Model of the device, Version of the Android operating system. The Trojan also periodically connects to the control server and may perform the following actions: send SMS messages, remove SMS messages from the Inbox and dial phone numbers. The Trojan also contains functionality to monitor phone usage.

Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. Again the threat is as an application for a Chinese gaming community. When executed, the Trojan attempts to send premium-rate SMS messages to several numbers and remove the SMS sent. The Trojan sends device information, such as IMEI and IMSI numbers.

This is a Trojan horse which steals information and may open a back door on Android devices. Available for download in the Android Market embedded in several applications, when the Trojan is executed, it steals the following information from the device: Device ID and Device permissions. The above information is then sent to a remote server from which the Trojan downloads a .jar file which opens a back door and accepts commands to perform the following actions on the compromised device: copies all of the bookmarks on the device, copies all of the history on the device, copies all of the shortcuts on the device, creates a log of all of the activities performed on the device, modifies the browser’s home page, returns the status of the last executed command. The gathered information is then sent to a remote location.

Trojan found in alternative Android markets that predominately target Chinese Android users. This Trojan predominantly affects devices with a custom ROM. The application masquerades as a legitimate one and exploits a vulnerability found in the way most custom ROMs sign their system images to install a secondary payload (without user permission) onto the ROM, giving it the ability to communicate with a remote server and receive commands. Once installed the second payload may read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions), install apps trasparently, communicate with a remote server using DES encryption.

This trojan is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan, which targets users in the United States by interacting with a number of premium SMS subscription services without consent, is able to sign-up a victim to a number of premium SMS subscription services without the user’s consent. This can lead to unapproved charges to a victim’s phone bill. Android users are directed to install this Trojan after clicking on a malicious in-app advertisement, for instance a Fake Battery Saver.

Repackaged and distributed in the form of “legitimate” applications, these two variants are different from the original one by re-implementing some of their malicious functionalities in native code and supporting two additional command and control (C&C) domains. The changes are possibly in place to make their detection and analysis harder.

The repackaged apps infected with the DroidKungFu variants are made available through a number of alternative app markets and forums targeting Chinese-speaking users.

Another example of a trojan which sends SMS to premium rate numbers. It also acts as a SMS Relay. It displays a standard Flash icon in the application list. The Trojan attempts to download an XML configuration file and uses it to retrieve a list of further URLs to send and receive additional data. The Trojan also contains functionality to perform the following actions: delete itself, delete SMS messages, send premium-rate SMS messages to the number that is specified in the downloaded XML configuration file, update itself.

This backdoor is a Trojanized copy of a legitimate gaming application for Android OS smartphones. It steals sensitive information of the affected phone’s SMS and calls functions, compromising the security of the device and of the user. It monitors the affected phone’s SMS and phone calls and sends stolen information to a remote URL. It also connects to a malicious URL in order to receive commands from a remote malicious user.

New variant of DroidDream Light in the Android Market, immediately removed by Google. Number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream.

ZiTMO arrives on Android! This threat is found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

Another threat found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location.

This threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Trojan horse that sends SMS messages to premium-rate phone number. When the Trojan is executed, it retrieves information containing premium-rate phone numbers from a malicious URL then sends premium-rate SMS messages. and attempts to block any confirmation SMS messages the compromised device may receive from the premium-rate number in an attempt to mask its activities. The Trojan also attempts to gather IMSI and location information and send the information to the remote attacker.

This is a detection for Trojan horses that send SMS texts to premium-rate numbers. These Trojan is a repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. The package name, publisher, and other details will vary and may be taken directly from the original application..

It belongs to the same NickiSpy family. However, it is significantly different from its predecessor since it is fully controlled by SMS messages instead of relying on a hard-coded C&C server for instructions. In addition, NickiBot supports a range of bot commands, such as for (GPS-based) location monitoring, sound recording and (email-based) uploading, calllog collection, etc. It also has a check-in mechanism to a remote website. his threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server.

Exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

For this reason I decided to prepare a special birthday gift for the Android, that is a special compilation showing the long malware trail which characterized this day. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention. Moreover, as you will have probably noticed, the average impact is low, but, the number of malware is growing exponentially after June, this is the reason why I decided to divide my special compilation in two parts. Today is part I: from the beginning to May, the 31st 2011.

Let’s go in this mobile malware travel between botnets, sleepwalkers and biblic plagues and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions:Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user trying to discipline users that download files illegally from unauthorized sites.

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Interesting Links

About This Blog

In this blog I express my personal opinion, which does not necessarily reflects the opinion of my organization, about events and news or interest, concerning information security, winking to mobile world and, why not, to some curious personal event.

Every information is reported with its source.

Anyone intending to use the information contained in my posts is free to do so, provided my blog is mentioned in your article.